
Side by Side Diff: net/cert/x509_certificate.cc

Issue 762013002: Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard ha… (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/x509_certificate.h" 5 #include "net/cert/x509_certificate.h"
6 6
7 #include <stdlib.h> 7 #include <stdlib.h>
8 8
9 #include <algorithm> 9 #include <algorithm>
10 #include <map> 10 #include <map>
622 // as we require the wildcard (if present) to match at least one character. 622 // as we require the wildcard (if present) to match at least one character.
623 if (presented_name.length() > reference_name.length()) 623 if (presented_name.length() > reference_name.length())
624 continue; 624 continue;
625 625
626 base::StringPiece presented_host, presented_domain; 626 base::StringPiece presented_host, presented_domain;
627 SplitOnChar(presented_name, '.', &presented_host, &presented_domain); 627 SplitOnChar(presented_name, '.', &presented_host, &presented_domain);
628 628
629 if (presented_domain != reference_domain) 629 if (presented_domain != reference_domain)
630 continue; 630 continue;
631 631
632 base::StringPiece pattern_begin, pattern_end; 632 if (presented_host != "*") {
633 SplitOnChar(presented_host, '*', &pattern_begin, &pattern_end);
634
635 if (pattern_end.empty()) { // No '*' in the presented_host
636 if (presented_host == reference_host) 633 if (presented_host == reference_host)
637 return true; 634 return true;
638 continue; 635 continue;
639 } 636 }
640 pattern_end.remove_prefix(1); // move past the *
641 637
642 if (!allow_wildcards) 638 if (!allow_wildcards)
643 continue; 639 continue;
644 640
645 // * must not match a substring of an IDN A label; just a whole fragment. 641 return true;
646 if (reference_host.starts_with("xn--") &&
647 !(pattern_begin.empty() && pattern_end.empty()))
648 continue;
649
650 if (reference_host.starts_with(pattern_begin) &&
651 reference_host.ends_with(pattern_end))
652 return true;
653 } 642 }
654 return false; 643 return false;
655 } 644 }
656 645
657 bool X509Certificate::VerifyNameMatch(const std::string& hostname, 646 bool X509Certificate::VerifyNameMatch(const std::string& hostname,
658 bool* common_name_fallback_used) const { 647 bool* common_name_fallback_used) const {
659 std::vector<std::string> dns_names, ip_addrs; 648 std::vector<std::string> dns_names, ip_addrs;
660 GetSubjectAltName(&dns_names, &ip_addrs); 649 GetSubjectAltName(&dns_names, &ip_addrs);
661 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs, 650 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs,
662 common_name_fallback_used); 651 common_name_fallback_used);
762 RemoveFromCache(cert_handle_); 751 RemoveFromCache(cert_handle_);
763 FreeOSCertHandle(cert_handle_); 752 FreeOSCertHandle(cert_handle_);
764 } 753 }
765 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { 754 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
766 RemoveFromCache(intermediate_ca_certs_[i]); 755 RemoveFromCache(intermediate_ca_certs_[i]);
767 FreeOSCertHandle(intermediate_ca_certs_[i]); 756 FreeOSCertHandle(intermediate_ca_certs_[i]);
768 } 757 }
769 } 758 }
770 759
771 } // namespace net 760 } // namespace net
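Review bot: The new `return true;` (new line 641) accepts any presented name whose leftmost label is exactly `*`, but nothing in the hunk says so — the old comment about not matching inside an IDN A-label (old line 645) went away with the partial-wildcard code, so a reader now has to reconstruct the rule from the `presented_host != "*"` guard above it. I would put a comment above the return: `// Only a whole-label wildcard ("*.example.com") reaches this point; partial` / `// wildcards such as "a*.example.com" never match (RFC 6125 section 6.4.3).` Note that a whole-label `*` still matches a reference_host that is an IDN A-label (`xn--...`), which is consistent with the RFC as far as I can tell but is worth stating explicitly since the old code called it out. Whether a `*` label can match a name with too few labels (e.g. `*.com`) depends on how `allow_wildcards` is computed, which is outside the hunk; the enclosing function starts before the visible lines.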